
I have a question regarding IP Spoofing and authentication. I have an OpenVPN server in TUN mode with many untrusted clients in the same VPN network, and I was wondering if one client is able to spoof its VPN IP Address so that it can appear to the server like another client. Is there any way to prevent it?

I was thinking maybe if:

1) I assign static IP addresses to the clients, then
2) save the mapping IP address - TLS certificate for each client, then
3) for each incoming packet to the server, I can verify the source IP address against the fingerprint (or Common Name) of the TLS connection that sent that packet and see if they match.

Is it possible and if yes, how?

I was reading that with tls-verify I can verify that the client with certificate A belongs to 10.8.0.4, for example, when the client connects to the OpenVPN server, but can I be sure that all the packets with source IP address 10.8.0.4 belong to the client with certificate A? Basically I want to identify clients based on their IP address. Is there any script to verify this?

Thank you a lot for your attention. I hope I have been clear enough.

poli mi

1 Answer


For specifying an IP per client: there is a specific procedure, "client config dir", for tying a key to a specific IP number. If you create a subdir "ccd" of the openvpn config directory, you can then specify that key/IP mapping files will be found there. In your openvpn.conf (or .ovpn on Windows):

client-config-dir ccd
ccd-exclusive

If you have a client with a key with the name "someclient", you can then create the file ccd/someclient, with the contents:

ifconfig-push 192.168.11.57 192.168.11.58

... which would force the client to use a tunnel between 192.168.11.57 and 192.168.11.58 (.57 being the client's IP). Create a new file for each client, with valid start/endpoint mappings (see the openvpn docs for valid IP pairs).

With this setup, no client will be accepted unless they have a CCD file, even if they have a valid key. And each client will have an explicit IP assigned to them. To lock out a client, simply delete the appropriate CCD file.

I have not tested whether it's possible for the client to somehow spoof sender IP, although I think that'd be tricky due to the tunnel nature of the connection (the server-side endpoint would not match). This is just an assumption though.

Joel Palmius
  • Hi, thank you very much for your answer. It is really useful to me, but I still have one question. Your command assigns the IP address based on the certificate only the first time the client connects. Can I check later that the packets arriving from 192.168.11.57 are actually sent by "someclient"? – poli mi Aug 03 '15 at 14:33
  • Googling a bit, it seems tun devices are locked so that it's not possible to change the IP on the client side and expect the server to swallow that. However, tap devices accept other IPs. So if you use tun + ccd, you can (if the information is correct) be entirely certain that what you get from a CCD-assigned IP is indeed traffic from that client. I don't know how you'd "check" this though. The info about tun being locked on IP I got from here: http://www.linuxquestions.org/questions/linux-networking-3/openvpn-ip-spoofing-719467/ see second response. – Joel Palmius Aug 03 '15 at 16:04
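The ccd procedure from the answer, together with the asker's steps 1 to 3, as an added worked example that is not code from the original thread. It generates one `ccd/<CN>` file per client with a validated `ifconfig-push` pair for net30 topology (the client address and the server-side endpoint must be the two usable hosts of one /30, which is why the answer pairs .57 with .58), refuses duplicate blocks and CN values that are unsafe as filenames, and provides a check function that can back a `--learn-address` hook, which OpenVPN calls as `<script> add|update|delete <address> <common-name>` (the CN is absent for `delete`). The CN-to-IP mapping, the `ccd` directory path and the decision to drive the check from a learn-address hook are this example's own assumptions; the mapping is constructed sample data.

```python
"""Added example (not from the original post): pin each OpenVPN client
certificate CN to one tunnel /30 via client-config-dir files, and check
that an address OpenVPN is about to learn matches the pinned one.

Assumptions: SAMPLE_MAPPING is constructed data; the ccd path and the
learn-address hook usage are the writer's choices, not the thread's.
"""
import ipaddress
import os
import re
import sys

# Constructed sample mapping: certificate Common Name -> client tunnel IP.
SAMPLE_MAPPING = {
    "someclient": "192.168.11.57",
    "otherclient": "192.168.11.61",
}

# OpenVPN looks up ccd/<CN>; refuse CNs that could escape the directory
# or collide with another entry after OpenVPN's own name sanitising.
SAFE_CN = re.compile(r"^[A-Za-z0-9._@-]+$")


def net30_pair(client_ip):
    """Return (client_ip, server_endpoint) for the /30 containing client_ip.

    In net30 topology each client owns a /30; the client address and the
    server-side endpoint are its two usable hosts. The network and
    broadcast addresses of the block are rejected.
    """
    ip = ipaddress.IPv4Address(client_ip)
    block = ipaddress.IPv4Network(f"{ip}/30", strict=False)
    usable = list(block.hosts())  # exactly two addresses for a /30
    if ip not in usable:
        raise ValueError(f"{ip} is the network or broadcast address of {block}")
    peer = usable[1] if ip == usable[0] else usable[0]
    return str(ip), str(peer)


def build_ccd_entries(mapping):
    """Validate the mapping; return {cn: 'ifconfig-push <client> <peer>'}."""
    seen_blocks = {}
    entries = {}
    for cn, client_ip in mapping.items():
        if not SAFE_CN.match(cn):
            raise ValueError(f"unsafe CN for a ccd filename: {cn!r}")
        client, peer = net30_pair(client_ip)
        block = ipaddress.IPv4Network(f"{client}/30", strict=False)
        if block in seen_blocks:
            raise ValueError(f"{cn} and {seen_blocks[block]} share {block}")
        seen_blocks[block] = cn
        entries[cn] = f"ifconfig-push {client} {peer}"
    return entries


def write_ccd(mapping, ccd_dir):
    """Write one ccd/<CN> file per client (creates ccd_dir if needed)."""
    entries = build_ccd_entries(mapping)
    os.makedirs(ccd_dir, exist_ok=True)
    for cn, line in entries.items():
        with open(os.path.join(ccd_dir, cn), "w") as fh:
            fh.write(line + "\n")
    return entries


def check_learned_address(op, addr, cn, mapping):
    """Decide whether tunnel address addr may be associated with cn.

    Shaped for a --learn-address hook: 'delete' carries no CN and is
    accepted; 'add'/'update' are accepted only when addr is exactly the
    address pinned to that CN in the mapping.
    """
    if op == "delete":
        return True
    if op not in ("add", "update") or cn is None:
        return False
    return mapping.get(cn) == addr


if __name__ == "__main__":
    # Hook mode: OpenVPN passes operation, address and (for add/update) CN.
    if len(sys.argv) >= 3:
        op, addr = sys.argv[1], sys.argv[2]
        cn = sys.argv[3] if len(sys.argv) > 3 else None
        sys.exit(0 if check_learned_address(op, addr, cn, SAMPLE_MAPPING) else 1)
    # Otherwise print the ccd entries that would be written.
    for cn, line in build_ccd_entries(SAMPLE_MAPPING).items():
        print(f"ccd/{cn}: {line}")
```

Run without arguments to see the generated entries (for "someclient" this is `ifconfig-push 192.168.11.57 192.168.11.58`, the same pair as the answer); wired in as a learn-address script it exits non-zero when OpenVPN tries to associate an address with a CN other than the one pinned to it, and OpenVPN treats a failing learn-address script as a rejection of that address (confirm against the manual for the server version in use). Together with `ccd-exclusive` this enforces the mapping at connect and address-learning time rather than per packet, which is the level at which OpenVPN exposes the CN.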